PRE-SET-UP STEPS
Unless you can avoid using cookies altogether, or unless you fall into the exceptions from the new law requirements to (1) provide clear and comprehensive information about any cookies you are using; and, (2) obtain consent (the “Requirements”) (see page 12 of the ICO Guidance Download) (the “Guidance”), it is advisable to take the following pre-set-up steps:
1. Check what type of cookies you use and how you use them;
2. Assess how intrusive your cookie usage is for each cookie;
3. Decide what solution to use to obtain consent;
4. Ensure you have an online Privacy Policy which makes reference to cookies; 
5. Ensure you have an online Cookie Policy (Note that if you merely mention cookies in your Privacy Policy, you are not doing enough. The Guidance insists on an unwavering adherence to the Requirements); and,
6. Take legal advice.
CONSENT
In view of the practical and technological constraints on implementing sophisticated consent mechanisms, the Guidance acknowledges that attaining implied consent may be more practical than the explicit opt-in model; however, it also states how “explicit consent might allow for regulatory certainty”. It is clear that the more effort is put into satisfying Requirement (1), the more likely implied consent shall suffice for opt-in consent.
EXAMPLES
An example of explicit consent via an opt-in can be found at www.fasthosts.co.uk. Sites like www.barclays.co.uk have taken one step back but a giant step forward by not providing an immediate opt-in mechanism but instead providing a disablement mechanism via a pop-up window. A site currently relying solely on inferred consent is www.ipo.gov.uk. An almost hybrid, dual-option site allowing for explicit or inferred consent is www.website-express.co.uk. It is not uncommon for consent to be gained online using the terms of use or terms and conditions to which the user agrees when they register or sign up. There are other ways that have been bandied about, such as reliance on the user’s pre-set browser settings, settings-led consent and browser-led consent, all of which are beyond the scope of this article.
It is evident that varying degrees of compliance are being adopted for the time being. The key point is that a website owner needs to be upfront with users and obtain consent by giving the user specific information about what they are agreeing to and providing them with a way to show their clear acceptance. Cookie warning messages can be displayed by way of message headers, footers or pop-up windows on the website, of varying size and prominence, and best practice is that they contain a link direct to the Cookie Policy. Therefore, it is understood that those setting cookies must:
1. Tell people that the cookies are there;
2. Explain what the cookies are doing;
3. Obtain consent to store a cookie on a user’s device; and,
4. Provide information in your Cookie Policy on the management and 
removal of cookies (or go a step further and provide a mechanism to 
instantly disable cookies).
COOKIE INFO IN COOKIE POLICY
Whichever method you choose to satisfy Requirement (2), in order to achieve compliance it is advisable that you also provide a Privacy Policy in which you reference cookies and a Cookie Policy itself in which you can insert the Requirement (1) information, preferably presented in a table. You can find out more about what information can be used in Article 2 of 3 published by Hanne & Co under the paragraph headed “A Cookie Audit”.
CONCLUSION
Businesses need to consider the best way forward for their particular website to inform users about their use of cookies in detail and to obtain the requisite consent. The grace period expired on 26 May 2012 and the law cannot be ignored! Given that the implementation of the new law is still experiencing teething problems, transparency should be the guiding principle of any business in its online activities.
Hanne & Co can help to provide you with the following:
(1) Suggested wording for a cookie warning message to be placed on your site;
(2) A Cookie Policy (and a Privacy Policy if you don’t have one);
(3) Advice and guidance on how best you can utilise these to meet the current legal obligations on a website owner; and,
(4) A review of any existing contracts you have with third party providers (or an update of company template precedent agreements) to ensure that you secure their commitment and agreement to be compliant with the law on cookies, thereby reducing your risk.
 
 